
RZ20 Display-only

I added the transaction RZ20 and assigned authority object S_RZL_ADM with activity 03 (Display only) to a role.
Even having only display authorization, this user is allowed to change (delete, save, copy, etc.) the method.
What did I miss to allow it as display-only authorization?

Thank you.

Jhiosa


4 Answers

  • Feb 22, 2017 at 11:37 PM

    Have you confirmed that the user isn't getting the extra authorizations from another role assignment?


  • Mar 02, 2017 at 02:29 AM

    Hi Fraser,

    Thank you for responding to the mis-tagged question. I checked the other related authorizations, and they are all display access.

    I was informed that I can implement the attached note 2382409 - Optimization of authority concept in RZ20 to be able to access RZ20 as Display-only role.


  • Former Member
    Mar 02, 2017 at 11:55 PM

    Note that the S_RZL_ADM concept is slightly tricky: You can execute external OS programs with this authorization. When doing so from ABAP, the application executing the program must decide whether the external program is relatively harmless and does not change anything (ACTVT = '03') or whether it contains functions which are potentially critical or can start any external program (ACTVT = '01').

    SM36, for example, only checks '01', as outside of logical commands, it cannot know or control what the external program does. In contrast, if the application runs a specific external program and knows what it does and classes it as non-critical, then it should check '03'.

    But those are the only two values available and non-critical does not necessarily mean display only.

    So you are sometimes stuck between a rock and a hard place...

    Best practice is to use S_LOG_COM or an auth object closer to the application within the application and then let the OS access (like the DB access) be authorization neutral.

    Cheers,

    Julius


  • Former Member
    Apr 03, 2017 at 02:57 PM

    Hi Jhiosa,

    You can set a trace (Transaction ST01) for your user to know which authorization objects allow you to do it.

    After that you can check in transaction SUIM which role assigned to you contains this authorization object.

    Kind regards,

    Maria
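
The check raised in the first answer (extra authorizations from another role) and the SUIM lookup described in the last one can also be done as a direct read of the role tables. The report below is an added example, not part of the thread or of any SAP-delivered code; the report name and parameters are hypothetical, and the object to look up defaults to S_RZL_ADM but should be whichever object the ST01 trace reports.

```abap
REPORT z_roles_with_auth_object.
" Added example: report name and selection-screen parameters are hypothetical.
PARAMETERS: p_user TYPE agr_users-uname OBLIGATORY,
            p_obj  TYPE agr_1251-object DEFAULT 'S_RZL_ADM' OBLIGATORY.

START-OF-SELECTION.
  " AGR_USERS: user-to-role assignments; AGR_1251: field values in each role.
  " Only currently valid assignments and non-deleted authorizations count.
  SELECT u~agr_name, a~auth, a~field, a~low, a~high
    FROM agr_users AS u
    INNER JOIN agr_1251 AS a ON a~agr_name = u~agr_name
    WHERE u~uname    = @p_user
      AND u~from_dat <= @sy-datum
      AND u~to_dat   >= @sy-datum
      AND a~object   = @p_obj
      AND a~deleted  = @space
    ORDER BY u~agr_name, a~auth, a~field, a~low
    INTO TABLE @DATA(lt_values).

  IF lt_values IS INITIAL.
    WRITE / 'No currently assigned role contains this object.'.
    RETURN.
  ENDIF.

  LOOP AT lt_values INTO DATA(ls_value).
    " Flag ACTVT values other than a plain '03' ('01', '*', or a range).
    DATA(lv_note) = COND char20(
      WHEN ls_value-field = 'ACTVT'
       AND ( ls_value-low <> '03' OR ls_value-high IS NOT INITIAL )
      THEN 'more than 03' ).
    WRITE: / ls_value-agr_name, ls_value-auth, ls_value-field,
             ls_value-low(10), ls_value-high(10), lv_note.
  ENDLOOP.
```

This covers role assignments only; authorization profiles assigned to the user directly are not in AGR_USERS and have to be checked separately.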
